Helping individuals, companies, and organizations understand key legal and practical considerations for promoting compliance and making better business decisions in these types of federal, state, and local government contracting matters

Last week we reported on developments in the Department of Defense (DoD) efforts to implement enhanced Defense Industrial Base cybersecurity requirements. Following our report, Katie Arrington, DoD Chief Information Security Officer in the Office of the Undersecretary of Defense for Acquisition and Sustainment, confirmed our thoughts that the DoD’s rollout of Cybersecurity Maturity Model Certification (CMMC) requirements in Requests for Proposals (RFPs) was likely to be impacted by COVID-19.

Specifically, she advised that the pilot RFPs to include CMMC are now on track to be released in November, approximately 60 days later than the originally targeted September rollout. She indicated that CMMC will not be included in DoD contracts until the rule is “completed.” The rule, which we understand will be a revision of the current DFARS clause, 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting, to include CMMC rules, is now identified for completion in October. However, this schedule may change depending on whether DoD follows through on its statements that it is going to have the rule go through a formal public hearing and rulemaking before being finalized. Given COVID-19 shelter-in-place rules and travel restrictions, hosting an in-person public meeting on the proposed rule could pose challenges to this schedule. Perhaps DoD will instead host a virtual meeting to receive input into the revised rule. If so, it will have to take care to protect that meeting against hacking.

It is clear that China and other countries are increasing attacks on cyber targets. DoD contractors and their supply chains should be taking steps now to enhance their cybersecurity in accordance with the current version of CMMC. It is not a question of whether DoD will proceed to implement CMMC, but when. Further, contractors that have a Plan of Action and Milestones (POAM) to implement NIST SP 800-171 requirements should continue that implementation to ensure that they are complying with their contract requirements.

Notwithstanding the above, Ms. Arrington did advise that DoD Requests for Information for incorporation of CMMC rules into contract requirements are still planned for release in June.

Stay tuned for further developments. If you have questions about this alert, or other government contracting matters, contact Susan Warshaw Ebner, or your Stinson counsel.

On May 5, 2020, the Office of Management and Budget (OMB) approved the Office of Federal Contract Compliance Programs’ (OFCCP) revised voluntary self-identification of disability form. Federal contractors and subcontractors have until August 4, 2020, to adopt the new form for applicants and employees.

Pursuant to Section 503 of the Rehabilitation Act, federal contractors and subcontractors with at least 50 employees and contracts of $50,000 or more are required to invite applicants and employees to self-identify as people with disabilities. These same contractors are expected to set an annual 7% utilization goal for individuals with disabilities across all job groups.

In announcing the new form, OFCCP stated that it believes the revised form is more “streamlined” and will “increase the response rate” of individuals voluntarily disclosing their disability status. The form is now one page (instead of two), lists different examples of disabilities, and removes the reasonable accommodation notice.

Federal contractors should promptly evaluate the steps they must take to implement the new form into application and onboarding processes so that this process is complete by August 4.

The Government continues to take steps to address its Defense Industrial Base supply chain cybersecurity. Below are some of the emerging developments you should be following in this space:

Cybersecurity Maturity Model Certification (CMMC)

Previously we reported on the Department of Defense’s (DoD’s) activities to roll out a CMMC program. DoD has now rolled out a corrected version of the CMMC Model, version 1.02. The Model mandates that DoD contractors, and their supply chains, be certified to have systems in place that meet the certification level cybersecurity requirements for the data that they will be required to handle under DoD contracts and subcontracts.

The DoD Acquisition Council opened a rulemaking case to establish a clause for the inclusion of CMMC certification requirements in its procurements. DAR Case 2019-D041 provides for establishment of a rule that will implement “a standard DoD-wide methodology for assessing DoD contractor compliance with all security requirements in the [NIST SP 800-171] …, and a DoD certification process, known as the Cybersecurity Maturity Model Certification (CMMC), that measures a company’s maturity and institutionalization of cybersecurity practices and processes.” Currently, the draft DFARS rule is being reviewed by the Office of Information and Regulatory Affairs (OIRA) at the Office of Management and Budget. Once it gets through this rulemaking process, and any concerns identified by OIRA are addressed, the rule should be ready for issuance in the Federal Register. It may be issued as an interim rule or as a proposed rule. However, it is a significant rule and must go through the procurement rule-making notice and comment process.

The previously announced schedule for the rollout of CMMC was: establish the CMMC-Accreditation Body (CMMC-AB) in January 2020, train certifiers, issue ten pilot Requests for Information by June 2020, issue pilot Requests for Proposals (RFPs) in September 2020, and award contracts containing CMMC provisions thereafter. Contractors must be certified at the designated CMMC level to receive these pilot awards. They must also ensure that their supply chains comply with mandated levels of certification where their performance involves Controlled Unclassified Information (CUI). Given the delays being experienced due to the COVID-19 situation, this schedule may be impacted.

CMMC-Accreditation Body (CMMC-AB)

DoD has entered into a Memorandum of Understanding (MOU) with the CMMC-AB, which will establish the standards, training, and processes for conducting the government contractor audits for certification purposes. The certifying persons or entities, once properly vetted through processes established by the CMMC-AB, will be known as CMMC Third Party Assessment Organizations (C3PAOs).

Apparently some entities are already claiming to be C3PAOs capable of providing companies with the CMMC certification needed to contract with the DoD in coming months. However, the CMMC-AB has not yet established its program. Nor has it conducted any training or certification of C3PAOs. Once it does, it will establish a CMMC Marketplace that will list approved C3PAOs.

Beware of entities that say that they can engage in review and certification now. At best, they are entities that would seek to assist you in getting ready for compliance. However, they cannot certify you. At worst, they may be entities seeking to access your systems and information for other than lawful purposes.

On April 22, 2020, the CMMC-AB issued an RFP for a continuous monitoring solution. The RFP called for responses by May 1, 2020, and anticipated selection of a solution by May 8, 2020. A CMMC-AB continuous monitoring system was not something identified in the CMMC. If actually implemented, a CMMC-AB continuous monitoring system is likely to pose a number of issues that will need to be addressed at the government, contractor and supply chain levels — from the basis of authority for such a system, to concerns about contractor privacy, to concerns about security issues that the monitoring solution itself creates for contractor systems, to the parameters for protecting a contractor’s crown jewels from unauthorized access and use by the Government and others.

Defense Contract Management Agency (DCMA) Cybersecurity Audits Continue

Pending implementation of the CMMC, it is our understanding that the DCMA is continuing to conduct its cybersecurity audits of the Defense Industrial Base (DIB) based on the cybersecurity clause, DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting; the DCMA Contractor Purchasing System Review Guidebook, Appendix 24; and the applicable standard, National Institute of Standards and Technology (NIST) Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. In February 2020, NIST issued a Revision 2 to NIST SP 800-171.

Controlled Unclassified Information (CUI)

The Federal Acquisition Regulatory (FAR) Council opened a rulemaking case in 2017, FAR Case 2017-016, to establish a rule to address agency policies for designating, safeguarding, disseminating, marking, decontrolling, and disposing of CUI. The current FAR Open Cases state that the rule has been drafted and is currently awaiting concurrence by the Civilian Agency Acquisition Council.

Contractors have been waiting for the rule for years now as CUI triggers the application of the cybersecurity standards. Knowing what is considered CUI is needed to establish where and what cybersecurity is required and which contractor systems are affected.

When finalized, these and other elements will need to be woven together to create the fabric of DoD cybersecurity that a DIB contractor and its supply chain must use to appropriately cover their systems and information.

Contact the author of this blog or your Stinson attorney if you have questions about this article, or government contracting matters.

Government contractors should consider all contract performance vitally important because they can’t always control which past performance is considered by agency evaluators. The recent Government Accountability Office (GAO) decision in Sayres & Associates Corporation (Sayres), B-418382 (March 31, 2020) reminds offerors that poor past performance, even under just one contract, can have lasting negative effects on the ability to receive awards.

The Department of the Navy (Navy) sought to obtain program management support services related to its DDG-1000 Destroyer program. To this end, the underlying request for proposals (RFP), issued in April 2018 as a small business set-aside, contemplated the award of a cost-plus-fixed-fee task order to an offeror holding a Navy SeaPort Enhanced contract.

The solicitation stated that award would be made on a best-value tradeoff based on three factors: (1) technical and management, (2) past performance, and (3) total evaluated price. The RFP provided that the technical factor was more important than past performance, and that the technical and past performance factors combined were significantly more important than price, though the price factor’s importance would increase if the proposals were otherwise equally matched or if there was a significant difference between the offerors’ prices such that the price premium reduced the value of superior ratings under other factors.

Under the past performance evaluation factor, the RFP required offerors to provide relevant past performance references, as well as past performance references for each significant subcontractor. In addition, the solicitation explained that the government could limit or, particularly relevant here, expand the number of references it contacts, as the government could contact references not provided by the offeror and review performance data obtained from government databases or personal knowledge. Overall, past performance would be evaluated based on recency, relevance, and quality, and assigned an adjectival rating of (1) substantial confidence, (2) satisfactory confidence, (3) limited confidence, (4) no confidence, or (5) unknown confidence.

The Navy received three offers. Sayres’s proposal received an Outstanding technical and management rating and a Satisfactory Confidence past performance rating, and had a total evaluated price of $70,229,306. Reliability and Performance Technologies, LLC’s (RPT’s) proposal received a Good technical and management rating and Substantial Confidence past performance rating, and had a total evaluated price of $59,203,221. That is, Sayres was higher-rated on the technical factor, lower-rated on past performance, and offered a higher price than RPT. Ultimately, the award was made to RPT.

Sayres protested on numerous grounds, including that the Navy improperly evaluated its past performance. The crux of Sayres’s argument was that the Navy improperly considered its past performance under a DDG-51 Destroyer program support contract. The DDG-51 support contract was not referenced in Sayres’s proposal. Moreover, according to Sayres, the Navy “cherry-picked” its review of the DDG-51 support contract performance, as there were more recent, and less negative, past performance reports, and, overall, the Navy placed undue importance on the DDG-51 support contract.

The Navy, in turn, argued that the DDG-51 support contract was particularly relevant to its evaluation, since Sayres’s work thereunder was most similar to the scope of the task order under the instant procurement for the DDG-1000 Destroyer program. The Navy also explained that it was first made aware of Sayres’s poor performance under the DDG-51 support contract because the DDG-51 and DDG-1000 programs had adjacent offices. Due to this knowledge, the Navy sought out the contract performance assessment reports (CPARs) for Sayres’s work under the DDG-51 support contract in its evaluation. These CPARs indicated unsatisfactory or marginal ratings in Sayres’s quality, schedule, and management performance.

The GAO agreed with the Navy. Noting that agencies have discretion in their evaluation of the relative merit and relevance of past performance references, the GAO found the Navy’s evaluation reasonable. Indeed, the solicitation put offerors on notice that the Navy could seek additional sources of past performance information from personal knowledge as well as government databases, such as the CPARS. Moreover, agencies are not required to seek out all possible sources of past performance information, for example, by interviewing officials in the relevant contracting office, and can reasonably choose to rely on the annual, final versions of CPARs as opposed to interim CPARs. To the extent that Sayres argued that the Navy should have considered more recent CPARs, i.e. from 2019 and 2020, these newer CPARs were not available when the proposals were evaluated in 2018. Thus, the GAO denied the protest on this ground.

For offerors, this decision serves as an important reminder that, in negotiated procurements, federal law requires that agencies consider the offerors’ past performance in determining the best value to the government. Depending on the solicitation, this past performance information may come from a number of sources, some of which offerors have no control over. In light of this, it is crucial that offerors consistently perform in a satisfactory or exemplary manner – even one misstep can tarnish a contractor’s past performance and hinder the ability to obtain future awards.

Despite “troubling” government conduct, the Armed Services Board of Contract Appeals (ASBCA) recently denied an appeal arising out of electrical work performed on a $38 million construction project involving the ground-up construction of four buildings for the United States Army. The dispute in Watts Constructors, LLC, ASBCA No. 61493 involved the use of rigid conduit as opposed to the more economical integrated metal clad (MC) cable in the running of electrical power lines through the newly constructed buildings. While the ASBCA’s decision was ultimately based upon an application of the contract’s plain language, the factual twist relating to the government’s conduct during the construction process is something to note for all contractors and subcontractors.

The contract and specifications contained numerous references to conduit and other rigid wiring requirements suggesting that conduit, and not MC cable, was required. Additionally, the contract drawings exclusively referenced conduit-related materials. Despite these statements, there were a few instances in the contract and specifications that also mentioned MC cable. The electrical subcontractor, apparently relying upon these few instances, proceeded with the wiring of the facilities using nearly half MC cable products and completed nearly three of the four buildings before the Government’s quality assurance electrical engineer informed it that its use of the MC cable was in violation of the contract and would have to be redone. Notably, the project had been inspected on several other occasions by other government quality assurance personnel, but never by the quality assurance individual specifically responsible for the electrical work.

Upon receiving this notification, the subcontractor was forced to remove a substantial portion of the installed MC cable, requiring the removal of walls and other materials surrounding the installed electrical work. As a result, the subcontractor submitted a claim to the prime for approximately $415,000, which the prime then passed through to the government.

On appeal from the contracting officer’s denial, the ASBCA ruled against the contractor, primarily citing the contract’s plain language. Noting its interpretation must “give reasonable meaning to all [] parts of the contract,” the ASBCA nevertheless found that the subject contract contained “unnecessary boilerplate” language describing cabling types that were plainly not intended to be used in the construction—including MC cable. The ASBCA determined the contract language and specifications left “no room for doubt that only rigid conduit” could be used to the exclusion of MC cable and, thus, its finding against the contractor was supported by the contract’s plain language.

The more interesting aspect of the decision was the ASBCA’s finding that the Army had not acquiesced to the use of the MC cable or waived its right to enforce the otherwise plain contract language. First, because the ASBCA found the contract was not ambiguous, it noted that it was not required to go beyond the contract language to “divine its meaning.”

Second, and perhaps most interesting, the ASBCA found that the silence on the part of the quality assurance inspectors that examined the work prior to the government’s communication that the MC cable was not permissible was not “particularly helpful” in interpreting the contract requirements. The ASBCA further found that no waiver had occurred because “there [wa]s no evidence that any government personnel knowingly waived the contractual terms inasmuch as the quality assurance representatives on site who observed the use of MC appear to have been of the opinion that it was not precluded by the contract.”

The decision raises some very important takeaways all contractors should keep in mind. One, if there are contradictory or superfluous terms in the contract, clarification should be sought at the outset and documented in writing. Two, despite months or years of work being performed and apparently inspected in a manner consistent with the contractor’s interpretation, in the end, the contract language may still control regardless of the government’s conduct. Finally, if there are multiple trades and multiple government quality assurance inspectors involved in a project, it would behoove the contractor to get formal approval of their work by the responsible trade-specific inspector as early in performance as possible. Had this occurred here, the contractor would have likely saved hundreds of thousands of dollars and potentially avoided having to navigate the appeals process.